design for storing trusted domain passwords in ldap

Andrew Bartlett abartlet at
Mon Jan 22 09:51:22 GMT 2007

On Mon, 2007-01-22 at 10:37 +0100, Volker Lendecke wrote:
> On Mon, Jan 22, 2007 at 10:32:26AM +0100, Michael Adam wrote:
> > 2) additional attribute sambaPasswordHistory (along with
> >    sambaPwdHistoryLength) in sambaTrustedDomainPassword
> The sambaPwdHistoryLength would not be necessary I think.
> You should be able to figure that out from the value length.

I don't like the idea of overloading the sambaPasswordHistory.  The
existing format of this attribute is <16 bytes of salt><MD5(salt
+NTpassword).  We need the original plaintext or NT password here.

BTW, I should have mentioned:  If we store the plaintext password for
the trust, then it becomes possible to upgrade to using Kerberos to
contact the trusted domains.  This may be desirable, even if we are not
'doing ADS'.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list